CVE-2026-26239: File Station 5
A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 5.5.6.5208
- Affected Products: 1
HarborGuard Analysis
Synopsis
A buffer overflow vulnerability affects QNAP File Station 5 (versions from 5.5.0 up to, but not including, 5.5.6.5208). The flaw is reachable over the network and requires a low-privilege user account, meaning any authenticated user can trigger it without additional interaction from another party. Successful exploitation lets an attacker modify memory or crash running processes, enabling data tampering and service disruption. A patched-image rebuild at version 5.5.6.5208 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-26239 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images, within minutes of ingestion from upstream advisory feeds. Any image running File Station 5 below version 5.5.6.5208 is flagged automatically during registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard scores this CVE at 8.7 HIGH (CVSS v4.0) and applies per-environment compliance policy weighting to prioritize alert routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
A patched-image rebuild at File Station 5 version 5.5.6.5208 becomes available through HarborGuard once an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the File Station 5 service over the network; no local or physical access is needed.
- Authentication: Required
  A low-privilege user account is sufficient; no administrative or elevated credentials are required beyond basic login access.
- Victim interaction: Not required
  No action from another user or victim is needed to trigger the vulnerability.
- Attack complexity: Low
  The exploit is reliable and condition-free, with no race conditions or specific memory layout dependencies required.
Blast Radius
- Attacker writes arbitrary data to process memory, enabling code or control-flow manipulation within the File Station 5 process.
- Attacker crashes one or more File Station 5 processes, denying file access and management functionality to all users of the affected system.
- Attacker reads or corrupts in-memory file metadata, stored credentials, or session state handled by the running process.
- Combined memory modification and process crash capability gives the attacker persistent disruption and potential for escalated impact on co-located services.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-26239 is active across all scanning environments, matching images against the affected version range (File Station 5 versions from 5.5.0 up to, but not including, 5.5.6.5208) within minutes of publication. For environments with auto-remediation enabled, HarborGuard can rebuild the affected image at version 5.5.6.5208, execute regression tests, and open a pull request against affected workloads. For high-severity issues like this one, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the rebuilt image at the fix version is staged and a triage alert is routed to the designated team inbox for review and promotion.
Fix available
- QNAP Systems Inc. / File Station 5: < 5.5.6.5208 (from 5.5.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
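The affected range and vector above can be checked against your own inventory with a numeric version comparison. This is an added example, not HarborGuard or QNAP code; the host names and installed versions are constructed, and padding a short version string with zeros is an assumption.

```python
import re

AFFECTED_FROM = "5.5.0"      # lower bound, inclusive (from the page)
FIXED_IN = "5.5.6.5208"      # first fixed build, exclusive upper bound (from the page)
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

def parse_version(text):
    """Turn '5.5.6.5208' into (5, 5, 6, 5208); short versions are zero-padded (assumption)."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    """True when AFFECTED_FROM <= version < FIXED_IN, compared numerically."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) < parse_version(FIXED_IN)

def parse_vector(vector):
    """Split a CVSS v4.0 vector string into a {metric: value} dict."""
    prefix, *metrics = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    return dict(m.split(":", 1) for m in metrics)

def triage(inventory):
    """Return (hosts in the affected range, hosts whose version needs manual review)."""
    flagged, review = [], []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                flagged.append(host)
        except ValueError:
            review.append(host)
    return sorted(flagged), sorted(review)

# Constructed inventory: host names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "nas-a": "5.5.6.5190",  # below the fixed build: affected
    "nas-b": "5.5.6.5208",  # the fixed build itself: not affected
    "nas-c": "5.5.10.1",    # numerically above 5.5.6; a string comparison would misjudge it
    "nas-d": "5.4.9",       # below the lower bound of the range the page states
    "nas-e": "5.5.6",       # truncated build number, treated as 5.5.6.0: affected
    "nas-f": "unknown",     # unparseable: routed to manual review
}

if __name__ == "__main__":
    metrics = parse_vector(VECTOR)
    print("network-reachable, low-privilege:", metrics["AV"] == "N" and metrics["PR"] == "L")
    print(triage(SAMPLE_INVENTORY))
```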